Network World

Security Strategies Alert

Security news and resources from Network World.
DoD offers useful certification guidelines
07/17/08
Jacqueline R. Tregre writes: How much training is enough? The U.S. Department of Defense put its considerable resources into that very question and produced a manual, publicly available, that calls for industry-standard certifications (and implicitly for the training to attain them) for both the technical personnel that actually put hands on systems, and for the management personnel responsible for running an organization's information assurance program.
Biometric blooper?
07/15/08
Frank Platt writes: The U.K. is planning to launch a national biometric identity card next year, along with a national database to include all the citizenry. This card will certainly be convenient when purchasing or banking or to quickly authenticate one's identity. But the whole idea may be deeply flawed.
Verizon data breach report, Part 4: Attack vectors
07/10/08
In my three most recent columns, I've been looking at the Verizon Business RISK Team's valuable analysis of four years of data on security breaches among their clients, entitled "2008 Data Breach Investigations Report." Today, in the fourth and final article in this series, I will look at the findings on attack vectors, called "Common Attack Pathways" in the report.
Verizon data breach report, Part 3: Breach size and source
07/08/08
In my two most recent columns, I've been looking at the Verizon Business RISK Team's valuable analysis of four years of data on security breaches among their clients, entitled "2008 Data Breach Investigations Report." Today I'll look at the research findings concerning breach size and source.
Verizon data breach investigations report, Part 2: Outsider attacks
07/03/08
The Verizon Business RISK Team recently published a valuable analysis of four years of data on security breaches among their clients. The team said, 'In a finding that may be surprising to some, most data breaches investigated were caused by external sources.' Today I want to explore the implications of that finding.
Verizon data breach investigations report, Part 1
07/01/08
The Verizon Business RISK Team recently published a valuable analysis of four years of data on security breaches among their clients entitled "2008 Data Breach Investigations Report." Today I want to draw readers' attention to the methodology of this landmark study.
Improved security raises threat to the unimproved
06/26/08
Reports on the Mississippi River flooding of recent weeks got me thinking about an issue that should concern organizations which have fallen behind industry standards of improved security in recent times.
Extreme weather and business continuity
06/24/08
Does climate change have any relevance for information assurance and business continuity? My friend and colleague John Orlando, program director of the Master of Science in Business Continuity Management (MSBC) program at Norwich University, thinks so.
Keep pace with vulnerabilities
06/19/08
Keeping track of the changing threat and vulnerability picture is a challenge for any security or network administration team. Threats change because of the constant efforts of bad actors who actively seek to exploit known vulnerabilities and to discover new ones. Vulnerabilities change because of changes in software versions, installation of new hardware or firmware, installation of software patches, and changes in network topology.
Infowar resources
06/17/08
I found some resources in infrastructure protection and information warfare that might interest some readers. This column will be a bit of a collage of neat infowar stuff that you may have overlooked but that bears attention and even rereading.
LBB2E: Joel Dubin updates his pocket guide
06/12/08
Joel Dubin has just sent me the update of his useful guide to computer security, The Little Black Book of Computer Security. In October 2005, I published a review of the first edition. I liked the book so much I ordered it for the assigned readings in one of the seminars in the MSIA program.
Master of Science in Business Continuity Management
06/10/08
Organizations both large and small are implementing BCM systems. Once relegated to the margins of corporate practice as an aspect of information technology or corporate security, BCM has become recognized as a fundamental aspect of sound business practice.
10 tips for moving e-discovery into the enterprise
06/05/08
StoredIQ writes: If you work for a mid- to large-sized company - say, one with more than $500 million in revenue - you are probably familiar with the problems of e-discovery. Your enterprise may routinely face five or more litigation matters each year, and you have terabytes of unstructured information that you need to sort through in order to find relevant information and place it on litigation hold. Here are 10 tips to choosing an e-discovery solution that can get up and running quickly, solve the problems you need it to, and pay for itself within months.
Useful guides to e-mail archiving
06/03/08
Organizations must balance the need for e-mail archives against the costs of storage, including the increasing difficulty users face in finding their own messages when they leave their e-mail in undifferentiated electronic piles of ordure. Although e-mail indexing tools such as Google Desktop may help users locate messages in years of unstructured archives, they don't solve the problem of random deletions, which may have legal implications if the organization is served with subpoenas for all documents produced or received in specific date ranges.
Workshop on Economics of Information Security
05/29/08
One of the most difficult problems information-assurance managers face is integrating IA into the financial management architecture underlying modern organizations. Because of the lack of centralized, verifiable reporting on information security breaches and their costs, it is impossible to emulate the actuarial statistics common to other forms of loss avoidance such as insurance, preventive maintenance, and healthcare.
Bordering on insanity
05/27/08
In my last column, I introduced the issue of crossing U.S. borders with encrypted data and advised corporate users to think carefully about whether to do so. Today I want to discuss the implications of the way the U.S. Customs and Border Protection service is demanding decryption keys from travelers and seizing portable electronic devices.
Crossing borders with corporate data
05/22/08
How should organizations handle devices that might cross national borders? One approach is to segregate confidential information to encrypted external disk drives. The rule could then be that the portable computer can leave the country but that the encrypted disk drive cannot.
Expanding roles for the CISO
05/20/08
In this series of three columns, I'm reviewing and commenting on ideas in 'A Seat at the Table for CEOs and CSOs: Driving Profits, Corporate Performance and Business Agility' by Jackie Bassett and Daniel Rothman and edited by Raquel Filipek. Today I'll finish with a brief summary of the rest of the book.
The CISO as strategic resource
05/15/08
There are five key reasons for CEOs to include CISOs in what I would call strategic planning - thinking about long-term, mission-critical goals and global processes.
Building a bridge from the CISO to the CEO
05/13/08
Chief information security officers (CISOs), security consultants and other security personnel constantly face the difficulty of reaching across a cultural divide to communicate our concerns to business leaders such as CEOs and their C-level and board colleagues. Here are some resources that can help us do that.
Identity Finder helps prevent identity theft
05/08/08
I recently received a well-crafted press release from Identity Finder. CEO Todd Feinman prepared these tips, which you may find useful for your own internal security newsletters.
Central Ohio InfoSec Summit coming up soon
05/06/08
The Central Ohio ISSA, the Central Ohio ISACA, and the Central Ohio InfraGard chapters have joined together to promote the first annual Central Ohio InfoSec Summit in Columbus on May 13.
Zapping 'zappers'
05/01/08
In cases of suspected embezzlement via software, I think we have to seize the working system, not only make bitwise copies of the data but also create a clone of the entire system using hardware that's as close to the original as possible, and then exercise the clone under tight observation using known inputs as if we were conducting a thoroughgoing software quality assurance inspection.
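The "bitwise copy" step in that procedure is only as good as the proof that the copy matches the seized medium. The following shell example is added here (it is not from the column) to show that step done defensibly: image the source bit for bit, record digests of both sides at acquisition time, and re-verify the working image later so that any tampering or media damage is caught before the clone is exercised. It assumes a POSIX shell with GNU dd, sha256sum and awk, and uses a small constructed file as a stand-in for the seized disk.

```shell
#!/bin/sh
# Added example, not the column's own procedure: forensic acquisition of a
# bit-for-bit image with digest recording and later re-verification.
# Assumes POSIX sh, GNU dd (for status=none), sha256sum and awk.
set -eu

# make_sample_source builds a constructed stand-in for a seized disk: a
# short text header (a fake POS ledger) padded with zeros to 2048 bytes,
# so the whole thing is a multiple of the 512-byte block size used below.
make_sample_source() {
    src="$1"
    printf 'POS ledger 2008-04 sale=120.00 sale=45.50 VOID sale=88.00\n' > "$src"
    dd if=/dev/zero bs=1 count=$((2048 - $(wc -c < "$src"))) status=none >> "$src"
}

# acquire_image copies the source block by block (conv=noerror keeps going
# past unreadable blocks instead of aborting), then hashes source and image
# and writes both digests next to the image. Prints OK only when the two
# digests match; anything else means the image must not be trusted.
acquire_image() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror status=none
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ] && echo OK || echo MISMATCH
}

# verify_image recomputes the image digest and compares it with the value
# recorded at acquisition; run this before every session on the clone so
# you can show the working copy is still the one that was acquired.
verify_image() {
    img="$1"
    recorded=$(awk -v f="$img" '$2 == f {print $1}' "$img.sha256")
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$recorded" = "$current" ] && echo OK || echo MISMATCH
}
```

In practice the source would be a write-blocked block device rather than a file, and the `.sha256` record would go into the case notes with the acquisition time and the operator's name; the point of the example is that the hash comparison, not the copy itself, is what makes the image usable as evidence.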
Zap! You're under arrest
04/29/08
Richard T. Ainsworth, a lecturer at the Boston University School of Law, has written a fascinating report on the use of 'zappers' - programs that skim cash sales out of point-of-sale records so that the tax owed on them is never reported. The paper is 'Zappers: Tax Fraud, Technology and Terrorist Funding.'
Scan ScanSafe's annual report for heuristic experience
04/24/08
Recently, ScanSafe released its 25-page 'Annual Global Threat Report: Trends for January 2007-December 2007.' The report was written by Senior Security Researcher Mary Landesman. Here are some of the highlights of the report.